LiME – Linux Memory Extractor

Mobile platform security tooling keeps growing, and there are now more open source tools for conducting forensic analyses on phone devices. If you want to investigate an Android device, you can use LiME.

LiME (formerly DMD) acquires volatile memory and writes the dump either to the device's file system or over the network. A full memory capture lets you look for abnormal processes or services that were used in a previous attack.

Working on the system during the analysis is not recommended, as this may modify the file system and memory. LiME minimizes the interaction between user and kernel space processes during acquisition, which allows it to produce memory dumps that are more forensically sound than those of other tools designed for Linux memory acquisition.

To transfer the memory image over a TCP tunnel, we first make the device listen on a specified port, to which we connect from our host. When the host connects to the socket, LiME automatically starts streaming the RAM image to the host for analysis. On the host computer, we connect to this port with netcat and redirect the output to a file.
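The acquisition just described, as an added example script (not code from the original post or from the LiME project). It goes a little beyond the text by hashing the dump for chain of custody and checking the LiME header; it assumes `lime.ko` is already built for the device kernel, the device is rooted, the host port is forwarded with `adb forward`, and `adb`, `nc` and `sha256sum` are on the host PATH.

```shell
#!/bin/sh
# Added example (not part of the original post or the LiME project):
# acquire an Android RAM image with LiME over TCP, hash it, and sanity-check
# the LiME header. Assumptions: lime.ko is already built for the device kernel,
# the device is rooted, and adb, nc and sha256sum are on the host PATH.
set -eu

PORT=4444
DUMP=${1:-ram.lime}   # output file on the host

# Validate the 32-byte LiME header: magic 0x4C694D45 stored little-endian
# (the bytes "EMiL" on disk) followed by version 1.
# Returns 0 for a LiME-format dump, 1 for anything else.
lime_header_ok() {
    file=$1
    [ -f "$file" ] || return 1
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "454d694c" ] || return 1
    version=$(od -An -tx1 -j4 -N4 "$file" | tr -d ' \n')
    [ "$version" = "01000000" ]
}

acquire() {
    # 1. Load the module on the device; path=tcp:PORT makes it listen, and
    #    format=lime prefixes each physical memory range with a LiME header.
    adb push lime.ko /sdcard/lime.ko
    adb shell "su -c 'insmod /sdcard/lime.ko path=tcp:$PORT format=lime'"
    # 2. Forward the host port to the device port over adb (assumed setup).
    adb forward "tcp:$PORT" "tcp:$PORT"
    # 3. Connect with netcat; LiME starts streaming RAM as soon as the
    #    socket connects, so just redirect the stream to the dump file.
    nc localhost "$PORT" > "$DUMP"
    # 4. Record a hash before any analysis tool touches the dump, then
    #    confirm the file really starts with a LiME header.
    sha256sum "$DUMP" > "$DUMP.sha256"
    lime_header_ok "$DUMP"
}

# Only run the acquisition when explicitly requested, so the helper
# functions can be sourced or tested without a device attached.
if [ "${LIME_RUN:-0}" = 1 ]; then
    acquire
fi
```

Run it as `LIME_RUN=1 sh acquire.sh ram.lime`; the script exits non-zero if the captured file does not begin with a LiME header, which usually means the module was loaded with a different `format=` or the connection dropped early.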